Uploaded by Jack Daniels

pos-system-breaches

advertisement
A Trend Micro Research Paper
Point-of-Sale System Breaches
Threats to the Retail and Hospitality Industries
Trend Micro Incorporated
Trend Micro | Point-of-Sale System Breaches
Contents
PoS Systems in Retail/Hospitality Industry Networks....................................................................1
PoS Device and Network Setup Weaknesses................................................................................2
Hacking PoS Devices.........................................................................................................2
Hacking Network Communications.....................................................................................3
Targeting Specific Servers..................................................................................................4
Point of Entry and Lateral Movement in a Network.................................................5
Find an Update Mechanism or Another Way to Deploy Malware on
a Large Scale..........................................................................................................6
Data Exfiltration.......................................................................................................7
Common PoS Device Malware and How They Scrape and Send Credit Card
Information Back to Attackers.........................................................................................................8
ALINA..................................................................................................................................9
vSkimmer............................................................................................................................9
Dexter.................................................................................................................................9
FYSNA................................................................................................................................9
Decebel.............................................................................................................................10
BlackPOS.........................................................................................................................10
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice.
The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on
or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend
Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise
related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the
translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind
as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend
Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall
be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising
out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information
constitutes acceptance for use in an “as is” condition.
Trend Micro | Point-of-Sale System Breaches
Associated Threats...........................................................................................................10
Impact of PoS Hacks to Industry and Consumer Public............................................................... 11
What Should Consumers Do?......................................................................................................11
Check Your Bank and Credit/Debit Card Statements....................................................... 11
Ask for a Chip-and-PIN Card............................................................................................11
How to Secure Networks Against PoS System Breaches............................................................12
How to Secure PoS Devices.............................................................................................12
How to Secure Networks..................................................................................................12
Cloud and Data Center Security Solutions for the Retail and
Hospitality Industries.............................................................................................12
Custom Defense Security Solutions for the Retail and Hospitality
Industries..............................................................................................................13
What to Check in Third-Party Vendor Agreements...............................................14
3
Trend Micro | Point-of-Sale System Breaches
PoS Systems in Retail/Hospitality Industry Networks
Point-of-sale (PoS) systems have been around in one form or another for decades. Businesses in
the retail and hospitality industries use these systems not only to accept payment, but to provide
other operational information such as accounting, sales tracking, and inventory management.
These systems are also used to improve the customer experience through customer loyalty
programs and suggestions.
From a security perspective, the most immediate risk to businesses and customers lies in accepting
payments. The information customers hand over, if captured, can be used by cybercriminals to
commit credit card fraud. Risk of exposure is the primary reason why the Payment Card Industry
Security Standards Council (PCISCC) has established data security standards for organizations
that handle the information of credit, debit, and ATM cardholders.1
PoS systems require some sort of connection to a network in order to contact external credit card
processors. This is necessary in order to validate credit card transactions. How this connection is
provided may depend on the store in question. For small businesses, this may be provided via a
cellular data connection.
However, larger businesses that wish to tie their PoS with other back-end systems may connect
the former to their own internal networks. In addition, in order to reduce costs and simplify
administration and maintenance, PoS machines may be remotely managed over these internal
networks.
Many PoS terminals are built using embedded versions of Microsoft™ Windows®. This means
that it is trivial for an attacker to create and develop malware that would run on a PoS terminal, if
he can gain access to that terminal and bypass or defeat any running security solutions present.
Sufficiently skilled and determined attackers can thus go after a business’s PoS terminals on a
large scale and compromise the credit cards of thousands of users at a time. The same network
connectivity can also be leveraged to help exfiltrate any stolen information. This is not just a
theoretical risk, as we have observed multiple PoS malware families in the wild.
1 PCI Security Standards Council, LLC. (2014). PCI Security Standards Council. “PCI SSC Data Security Standards Overview.”
Last accessed February 13, 2014, https://www.pcisecuritystandards.org/security_standards/.
1
Trend Micro | Point-of-Sale System Breaches
Figure 1: Basic network setup for PoS systems
PoS Device and Network Setup Weaknesses
PoS systems are difficult to secure, mostly because of their role and exposed location in the
network. They handle critical information and at the same time require being managed from
remote locations, a scenario typical of corporate environments that implement software package
management solutions.
Industry-established standards such as the PCI Data Security Standard (DSS) are set up to
ensure that the systems—and the information they handle—remain safe from unauthorized
access. However, as the whole computing industry has learned through the years—it only takes
one weakness to infiltrate a network.
Hacking PoS Devices
A PoS device can be considered the most important landmark in any retail location, as it is
where all purchases are finalized. An attacker can find a way to infect a PoS device even
before deployment, for instance, in the vendor’s factory shop floor. While there have been
no specific reports for PoS devices, there have been cases of newly purchased devices
such as digital frames, navigation devices, smartphones, and even MP3 players found to
contain malware.2
2 Bernadette Irinco. (December 26, 2008). TrendLabs Security Intelligence Blog. “Yet Another Digital Picture Frame Malware
Incident.” Last accessed February 13, 2014, http://blog.trendmicro.com/trendlabs-security-intelligence/yet-another-digital-pictureframe-malware-incident/; Eric Avena. (January 29, 2007). TrendLabs Security Intelligence Blog. “Trojans Loose on Navigation
Devices.” Last accessed February 13, 2014, http://blog.trendmicro.com/trendlabs-security-intelligence/trojans-loose-onnavigation-devices/; Danielle Veluz. (March 12, 2010). TrendLabs Security Intelligence Blog. “Malware Gets Smart with Vodafone
Smartphone.” Last accessed February 13, 2014, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-getssmart-with-vodafone-smartphone/; Ryan Flores. (October 18, 2006). TrendLabs Security Intelligence Blog. “McDonald’s Japan
Recalls Promotional MP3 Players.” Last accessed February 13, 2014, http://blog.trendmicro.com/trendlabs-security-intelligence/
mcdonald27s-japan-recalls-promotional-mp3-players/.
2
Trend Micro | Point-of-Sale System Breaches
PoS devices are normally “guarded” by an employee during operating hours so getting to a
PoS device and infecting it with malware can prove difficult for an attacker though still very
doable. All it takes is a disgruntled employee or a well-disguised attacker to gain access
to a system and manually install an information-stealing malware into it. Attackers may
also take advantage of “self-service” terminals and PoS locations that are not as closely
monitored as other stations.
Several years ago, we also reported about the sale of fake PoS devices in the cybercriminal
underground.3 These fake devices were designed to print out default receipts that inform
the counterfeiter’s victim that an error has prevented the transaction from proceeding when
in fact the device has already skimmed the data from his credit and debit cards.
Figure 2: PoS device weaknesses
Hacking Network Communications
Network-level hacking is another technique seen used in the past wherein attackers may
try to check for access to the PoS system through the network that the systems belong
to. For example, in a hacking case that affected U.S. merchants between 2009 and 2011,
attackers were able to conduct a port scan of the systems and identify those with remote
desktop access software installed, thus gaining access to them.4
3 Maxim Goncharov. (June 23, 2010). TrendLabs Security Intelligence Blog. “For Sale: Fake PoS Devices.” Last accessed
February 13, 2014, http://blog.trendmicro.com/trendlabs-security-intelligence/for-sale-fake-pos-devices/.
4 U.S. Department of Justice. (September 17, 2012). The United States Department of Justice. “Two Romanian Nationals Plead
Guilty to Participating in Multimillion Dollar Scheme to Remotely Hack into and Steal Payment Card Data from Hundreds of U.S.
Merchants’ Computers.” Last accessed February 13, 2014, http://www.justice.gov/opa/pr/2012/September/12-crm-1124.html.
3
Trend Micro | Point-of-Sale System Breaches
Network-level hacking can also be made possible through different methods. One can be
through shared connections between systems in an establishment such as PoS systems
that share the same connection with the Wi-Fi hot spot provided to customers. These PoS
systems can be using Wi-Fi such as in a “back-office” area to communicate with servers.
The PoS systems can also be using a closed Wi-Fi network but attackers can still be able
to crack its passphrase. Attackers can also find an open port on a switch and add their own
Wi-Fi access point.
Such security holes are products of noncompliance. The security standard for payment
card processing requires a secure connection for the PoS system, encryption of card data,
authentication for remote access to and from PoS machines, and many other methods that
ensure that transactions remain safe from unauthorized access.
Figure 3: Network-level hacking
Targeting Specific Servers
Infiltrating networks is possibly the most sophisticated method an attacker can use in order
to get in to a PoS device but it also promises the biggest payout. Unlike device- and
network-level infiltration, a successful server breach will give attackers access to not just a
single PoS system or a network of PoS systems in a single location, but, depending on the
architecture, possibly all PoS systems controlled by the retailer in multiple locations. This
is not without additional difficulties, however, as they need to gain network access before
they can reach the servers. It may also take some work for attackers to know the available
software on the server and the means to exploit it.
4
Trend Micro | Point-of-Sale System Breaches
Figure 4: Hacking in to back-end office systems
Point of Entry and Lateral Movement in a Network
In a typical attack, a target receives a socially engineered message such as an email
or an instant message that encourages him to click a link or open a file. The links
and files sent by attackers contain a piece of malware that exploits vulnerabilities in
popular software such as Adobe® Reader® (e.g., .PDF files) and Microsoft Office®
(e.g., .DOC files). They may also send .EXE files that come with false icons and
file name extensions. The payload of these exploits is a piece of malware that is
silently executed on the target’s computer. This allows the attackers to take control
of and obtain data from the compromised computer, ultimately establishing the
beachhead.
The attackers use this beachhead to laterally move throughout the network and
finally infiltrate their ultimate target—database servers, computers with important
documents, or PoS systems in this case. They typically download remote access
Trojans (RATs) or tools that allow them to execute shell commands in real time
on the compromised host. In addition, they may seek to elevate their privileges
that they could then use in techniques such as “pass-the-hash” and seek out key
targets.5 In this particular scenario, the key target may be a system that will allow
the attacker to deploy malware to all PoS systems within the network.
5 Trend Micro Incorporated. (2013). “Lateral Movement: How Do Threat Actors Move Deeper into Your Network?” Last accessed
February 13, 2014, http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf.
5
Trend Micro | Point-of-Sale System Breaches
Figure 5: Point of entry and lateral movement
As the attackers move throughout the target’s network, they explore and collect
information that can be used in future attacks or prepared for exfiltration. They may
also set up additional back doors in case the others are discovered.
Find an Update Mechanism or Another Way to Deploy Malware on a Large
Scale
A server-level attack may involve the misuse of any management system used
by the retailer to monitor or maintain all PoS systems. It may be one to manage
system updates, collect accounting data from branches, or even one that monitors
the man-hours employees put in. Any system that has control or access to all PoS
systems is a potential target for attackers that aim for a server-level infiltration.
Once attackers gain access to this system, they gain access to the entire network
of PoS systems, and are enabled to deploy malware that will steal customer
information.
6
Trend Micro | Point-of-Sale System Breaches
Figure 6: Spreading PoS malware to devices
Data Exfiltration
After the malware is installed on the PoS systems and the information is stolen, the
next critical step for attackers is to get the stolen data from the target’s infrastructure
and under their control. In order to accomplish this objective without getting caught,
the attackers will use a variety of techniques to obfuscate their activities. They can,
for instance, collect and compress the desired data then split the compressed file
into chunks that can be transmitted to locations under their control. A variety of
transmission methods are used such as File Transfer Protocol (FTP) and HTTP.
Attackers can, however, also use methods such as exfiltrating data by using and
abusing the Tor anonymity network.
Alternatively, threat actors may use the built-in file transfer functionality that
comes with some remote management tools in order to pass off their outside
communications as legitimate. Some remote access tools are legitimately used
to provide remote technical support assistance. Because such tools are already
available in the system, solutions such as white-listing may not detect the activity,
suspicious or otherwise.
7
Trend Micro | Point-of-Sale System Breaches
Figure 7: Data aggregation and exfiltration
Common PoS Device Malware and How They Scrape and Send
Credit Card Information Back to Attackers
To comply with PCI DSS requirements, the payment card industry uses a set of security standards
that enforce end-to-end encryption of sensitive payment data captured from payment cards when
this data is transmitted, received, or stored. However, when the information is first read from the
card, it can be found inside the PoS device’s memory in unencrypted form. PoS malware exploit
this by capturing the payment card information directly from the memory; this behavior is known
as “RAM scraping.”
8
Trend Micro | Point-of-Sale System Breaches
Several malware families that target PoS devices are known to exist in the wild. These families are
all widely available in underground marketplaces and have been used in various attacks.
ALINA
One of the more basic PoS families known is the ALINA malware family, also known as
“Trackr.”6 This malware scans the system’s memory to check if the contents match regular
expressions, which indicate the presence of card information that can be stolen. These are
sent to the command-and-control (C&C) server via an HTTP POST command.
vSkimmer
The vSkimmer malware family is easy to obtain for cybercriminals, as a cracked builder and
control panel is readily available. As is the case with most information-stealing malware, it
uploads any data it captures to its own C&C server. However, if it does not find its server,
it has another data exfiltration method. It checks for the presence of a removable drive
with the label “KARTOXA007.” If this drive is found, it drops a file that contains any stolen
information into it, allowing a method of offline data exfiltration.
We detect vSkimmer malware under the HESETOX family.7
Dexter
Dexter is one of the most potent PoS malware families in use today, in part because its
information theft activities are not limited to just stealing card information. It also steals
various system information and installs a keylogger onto affected systems.
In a corporate environment, this is particularly dangerous, as this could mean that even
corporate information entered into PoS systems can be stolen by Dexter. Some Dexter
versions are known in the underground as “Stardust” and detected under the DEXTR
family.8
FYSNA
The FYSNA malware family, also known as “ChewBacca,” is in many respects, fairly typical.9
However, it adds a new wrinkle to PoS malware by using the Tor network to communicate
with its C&C server in a secure manner. This can make detection and investigation of any
breach more difficult by making all of the network traffic made by the malware extremely
difficult to thoroughly analyze.
6 Trend Micro Incorporated. (2014). Threat Encyclopedia. “BKDR_ALINA.NG.” Last accessed February 13, 2014, http://aboutthreats.trendmicro.com/us/malware/bkdr_alina.ng.
7 Trend Micro Incorporated. (2014). Threat Encyclopedia. “BKDR_HESETOX.CC.” Last accessed February 13, 2014, http://
about-threats.trendmicro.com/us/malware/bkdr_hesetox.cc; Trend Micro Incorporated. (2014). Threat Encyclopedia. “BKDR_
HESETOX.A.” Last accessed February 13, 2014, http://about-threats.trendmicro.com/us/malware/bkdr_hesetox.a.
8 Trend Micro Incorporated. (2014). Threat Encyclopedia. “BKDR_DEXTR.A.” Last accessed February 13, 2014, http://aboutthreats.trendmicro.com/us/malware/bkdr_dextr.a; Trend Micro Incorporated. (2014). Threat Encyclopedia. “BKDR_DEXTR.C.”
Last accessed February 13, 2014, http://about-threats.trendmicro.com/us/malware/bkdr_dextr.c; Trend Micro Incorporated.
(2014). Threat Encyclopedia. “BKDR_DEXTR.D.” Last accessed February 13, 2014, http://about-threats.trendmicro.com/us/
malware/bkdr_dextr.d; Trend Micro Incorporated. (2014). Threat Encyclopedia. “TSPY_DEXTR.A.” Last accessed February 13,
2014, http://about-threats.trendmicro.com/us/malware/tspy_dextr.a.
9 Trend Micro Incorporated. (2014). Threat Encyclopedia. “TSPY_FYSNA.A.” Last accessed February 13, 2014, http://aboutthreats.trendmicro.com/us/malware/TSPY_FYSNA.A.
9
Trend Micro | Point-of-Sale System Breaches
Decebel
The Decebel malware family adds well-defined evasion techniques to PoS malware.
Cybercriminals are aware that researchers are looking into this emerging threat and so
are accordingly designing their wares. Decebel checks if sandboxing or analysis tools
are present on a machine before running. This aims to make detection and analysis more
difficult, buying attackers more time before their scheme is eventually discovered and shut
down.
As is the case with other PoS malware families, Decebel uploads stolen information to its
C&C server via HTTP POST. This family is detected as DECBAL.10
BlackPOS
BlackPOS, also known as the “Memory Form Grabber,” is the most well-known PoS malware
family. It is easily available as its source code has previously been leaked online. Like all
PoS malware, BlackPOS checks the PoS terminal’s memory for sensitive information to
steal. However, even here, BlackPOS shows some sophistication, as some variants are
only set to carry out information theft between 10 a.m. and 5 p.m. Any stolen information is
stored in a .TXT or .DLL file, depending on the variant.
Unlike other malware families that directly upload stolen information to a C&C server,
BlackPOS uses FTP to upload information to a server of the attackers’ choosing. This
allows attackers to consolidate stolen data from multiple PoS terminals on a single server,
allowing for more control over data exfiltration.
Associated Threats
PoS malware are rarely, if ever, used without other malware to help carry out attacks. It
is worth noting that PoS malware are almost never used on their own. Other malware
components are frequently used to carry out PoS attacks. One example are Internet Control
Messaging Protocol (ICMP) listening malware—PoS malware will rarely directly transmit
any stolen data to a malicious or compromised server, as this would be too obvious and
easily blocked. Frequently, the information is sent to a compromised server within the target
organization. This “aggregator” of stolen information will then be the one that exfiltrates the
data out of the network, making detection of the malicious traffic more difficult.
Shellcode-loading malware may also be used in a PoS attack. Command and control
for PoS malware is difficult, as again communications to an external server may not be
possible. Instead, a compromised server inside the network acts as a C&C server.
This C&C server sends shellcode across the network to PoS machines where they are
loaded and executed on affected machines. This allows for covert command-and-control
and renders forensic investigation of any attack more difficult.
10 Trend Micro Incorporated. (2014). Threat Encyclopedia. “TSPY_DECBAL.A.” Last accessed February 13, 2014, http://aboutthreats.trendmicro.com/us/malware/TSPY_DECBAL.A.
10
Trend Micro | Point-of-Sale System Breaches
Impact of PoS Hacks to Industry and Consumer Public
A major effect of PoS hacks would be the possibility of identity theft. Personal and sensitive
information stolen from credit and debit cards can be used to impersonate unsuspecting consumers.
These victims may soon encounter problems such as fraudulent purchases, financial loss, and
damaged credit standing. Trend Micro research into different cybercriminal underground forums
has revealed an ongoing, thriving, organized economy of buyers and sellers of stolen information.
Furthermore, the time, money, and effort to repair such damage can be significant—the average
amount of time spent addressing fraud ranged from 11 to 37 hours in 2012. Victims may not
immediately receive replacement cards, as reissuing cards can be a costly process for banks,
ranging from US$3 to US$5 per card.
Compromised banks and retailers may experience backlash from PoS hacks. The public may opt
to turn to other banks and retailers. A report from Javelin Strategy & Research shows that 15% of
fraud victims change behaviors and avoid smaller online merchants.11 Such breaches may also
lead to class-action lawsuits. Compromised organizations may also find their value drop, if they
are publicly traded.
What Should Consumers Do?
While consumers cannot control whether or not their favorite business establishments are secure
against PoS malware, they can take some steps to ensure that their accounts are not put at
unnecessary risk.
Reputable merchants will inform users about any potential breaches as well as absorb any financial
losses as a direct result of the fraud. However, users may be defrauded even before merchants
become aware of any problem so they should be on guard in any case.
Check Your Bank and Credit/Debit Card Statements
It is a good idea for users to regularly check their bank statements for any anomalous
transaction. Online banking sites allow users to check recent transactions. Going over this
list on a regular basis should allow users to spot and dispute fraudulent transactions made
on their cards.
If users spot any fraudulent transaction, they should immediately report this to their banks
and ask that the credit card in question be suspended and replaced.
Ask for a Chip-and-PIN Card
In many countries, both banks and retailers have shifted to using “chip-and-personal
identification number (PIN)” or Europay, MasterCard, and Visa (EMV) cards, which
primarily use an embedded chip to hold the information on the credit card instead of a
magnetic strip.
11 Javelin Strategy & Research. (February 20, 2013). Javelin Strategy & Research: Strategic Insights into Customer Transactions.
“More Than 12 Million Identity Fraud Victims in 2012 According to Latest Javelin Strategy & Research Report.” Last accessed
February 13, 2014, https://www.javelinstrategy.com/news/1387/92/1.
11
Trend Micro | Point-of-Sale System Breaches
EMV cards offer improved security over conventional magnetic strip cards. However, not
all banks offer EMV cards to all of their customers. In these cases, users should check with
their banks if EMV cards are available; many banks will issue these cards upon request.
How to Secure Networks Against PoS System Breaches
How to Secure PoS Devices
•
Implement hardware-based point-to-point encryption
•
Limit access to the Internet
•
Disallow remote access
•
Routinely delete cardholder data
•
Deploy the latest version of OS with updated patches
•
Employ white-listing in order to lock PoS systems down only to its intended uses
•
Limit internal access to the physical PoS device
•
Enforce policies regarding the physical repair and/or upgrade of the PoS device
•
Deploy security software and keep it updated with the latest signatures
How to Secure Networks
Cloud and Data Center Security Solutions for the Retail and Hospitality
Industries
In a retail/hospitality environment, there are many potential attack vectors to consider
with the increasing number of interaction channels for customers such as websites,
PoS systems, mobile apps, and social media. There are multiple security controls
required in order to cover attack vectors, including controls for your applications,
servers, and networks. These include Web applications and servers.
At Trend Micro, we recommend the following controls in your data center:
•
Restrict communication in and out of your environment to only what is
required.
•
Ensure that you are constantly protected against vulnerabilities in both
systems and applications, even in-between patch cycles.
•
Identify when a system component has changed.
•
Protect against malware and malicious URLs.
•
Encrypt communication between applications and data.
12
Trend Micro | Point-of-Sale System Breaches
•
Continuously scan Web applications for potential vulnerabilities.
To address risks within your evolving data center, Trend Micro provides a security
solution that is open, automated, and highly scalable, that fits your existing
infrastructure, seamlessly integrating with key environments such as VMware or
cloud environments such as Amazon Web Services.
Changes in system components can occur for many reasons, many of which are not
due to an attack against your system. That said, monitoring systems such as PoS
devices for changes is becoming more and more critical to your security controls.
It can not only provide an early indication of a problem, it is actually required by
various compliance standards such as the PCI DSS.
Trend Micro™ Deep Security offers File Integrity Monitoring capabilities to monitor
critical OS and application files such as directories, registry keys, and values to
detect and report malicious and unexpected changes in real time. These include
changes to PoS systems.
Deep Security can restrict communication in and out of your environment through
a firewall policy that can be tailored for specific server requirements and protect
against both inbound and outbound communication. Its firewall capabilities offer
logging and alerting to make it easier to troubleshoot and manage.
With your business demanding constantly evolving application use, it is often
difficult to keep up with patching systems against known vulnerabilities. This is
where Deep Security Intrusion Prevention capabilities that protect against potential
exploits on vulnerabilities are important to have on the list. An important capability
of our intrusion prevention is the ability to automatically update security policies to
ensure the right protection is applied, even before you have had a chance to patch.
Finally, Deep Security Anti-Malware that includes Web reputation detection will not
only protect against malware but also detects and protects against known malicious
URLs.
When those applications are available through the Web and provide customers,
partners, or global employees the ability to share information, detection of potential
threats or occasional penetration testing is not enough, especially as the number of
apps increases. We offer Deep Security for Web Apps, a comprehensive, integrated
software-as-a-service (SaaS) offering that continuously detects vulnerabilities,
delivers actionable security insight, and protects applications with Secure Sockets
Layer (SSL) certificates to encrypt transactions and communications, as well as
Intrusion Prevention and Web Application Firewall (WAF) rules.
Custom Defense Security Solutions for the Retail and Hospitality
Industries
In any attack, besides identifying components using endpoint or server security
solutions, a network approach is also favored. Trend Micro Custom Defense
solutions can support a retail organization in a number of ways.
13
Trend Micro | Point-of-Sale System Breaches
•
Additional malware and possibly RATs downloaded to a server to
facilitate lateral movement: Trend Micro™ Deep Discovery can detect
the download of malware and RATs without antivirus signatures.
•
Lateral movement and establishment of control points: Deep Discovery
can detect certain lateral movements and the spread of malware.
•
C&C communications: Deep Discovery can detect C&C communication,
both inbound and outbound.
•
PoS infection (malware are pushed to the PoS systems via network
shares): Deep Discovery can detect both external and internal C&C
communication.
•
PoS systems download card data to the internal data storage server:
Deep Discovery can detect the internal data movement.
•
Data exfiltration to external server via FTP: Deep Discovery can detect
bulk data exfiltration.
What to Check in Third-Party Vendor Agreements
In several cases, businesses may opt to outsource their payment processing
function. This presents an additional layer that can be found vulnerable to exposure.
Therefore, organizations must make sure that vendors are contractually bound to
comply with their security-related requirements.
The agreement must cover how customer data is captured, stored, processed, and
transmitted, including baseline compliance requirements such as to the PCI DSS.
For instance, the contract must require encryption in all stages of transmitting data.
It may also set forth requiring background checks on employees with access to
customer information databases.
The agreement must also clearly outline who to contact for service and support
escalation when anomalies and security incidents arise. Anticipating various security
breach scenarios is key to coming up with third-party outsourcing agreements
that indicate responsibilities, accountabilities, liability limitations, or grounds for
declaring a breach of contract.
14
Trend Micro Incorporated, a global leader in security software, strives to make the
world safe for exchanging digital information. Our innovative solutions for consumers,
businesses and governments provide layered content security to protect information
on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are
powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection
Network™, and are supported by over 1,200 threat experts around the globe. For more
information, visit www.trendmicro.com.
©2014 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend
Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.
225 E. John Carpenter Freeway, Suite 1500
Irving, Texas 75062 U.S.A.
Phone: +1.817.569,8900
Download